CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > Reports > Differences between Version 2.4 and Version 2.5  
ID

Differences between Version 2.4 and Version 2.5

Summary
Summary
Total (Version 2.5) 940
Total (Version 2.4) 920
Total new 20
Total deprecated 2
Total shared 920
Total important changes 57
Total major changes 75
Total minor changes 5
Total minor changes (no major) 2
Total unchanged 843

Summary of Entry Types

Type Version 2.4 Version 2.5
Category 176 186
Chain 3 3
Composite 6 5
Deprecated 12 14
View 29 31
Weakness 694 701

Field Change Summary
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 11 0
Description 16 2
Applicable_Platforms 15 0
Time_of_Introduction 2 0
Demonstrative_Examples 5 3
Detection_Factors 0 0
Likelihood_of_Exploit 0 0
Common_Consequences 4 0
Relationships 47 0
References 10 0
Potential_Mitigations 11 0
Observed_Examples 5 0
Terminology_Notes 7 0
Alternate_Terms 0 0
Related_Attack_Patterns 4 0
Relationship_Notes 2 0
Taxonomy_Mappings 2 0
Maintenance_Notes 1 0
Modes_of_Introduction 0 0
Affected_Resources 0 0
Functional_Areas 0 0
Research_Gaps 0 0
Background_Details 0 0
Theoretical_Notes 0 0
Weakness_Ordinalities 0 0
White_Box_Definitions 0 0
Enabling_Factors_for_Exploitation 0 0
Other_Notes 4 0
Relevant_Properties 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Common_Methods_of_Exploitation 0 0
Type 17 0
Causal_Nature 0 0
Source_Taxonomy 0 0
Context_Notes 0 0
Black_Box_Definitions 0 0

Form and Abstraction Changes

From To Total
Unchanged 903
Composite Weakness/Variant 1
Weakness/Base Weakness/Variant 11
Weakness/Class Weakness/Base 3
Weakness/Variant Deprecated 2

Status Changes

From To Total
Unchanged 918
Incomplete Deprecated 2

Relationship Changes

The "Version 2.5 Total" lists the total number of relationships in Version 2.5. The "Shared" value is the total number of relationships in entries that were in both Version 2.5 and Version 2.4. The "New" value is the total number of relationships involving entries that did not exist in Version 2.4. Thus, the total number of relationships in Version 2.5 would combine stats from Shared entries and New entries.

Relationship Version 2.5 Total Version 2.4 Total Version 2.5 Shared Unchanged Added to Version 2.5 Removed from Version 2.4 Version 2.5 New
ALL 7491 7419 7391 7369 22 50 100
ChildOf 3174 3141 3135 3124 11 17 39
ParentOf 3174 3141 3135 3124 11 17 39
MemberOf 344 334 334 334 10
HasMember 344 334 334 334 10
CanPrecede 121 120 120 120 1
CanFollow 121 120 120 120 1
StartsWith 3 3 3 3
Requires 17 19 17 17 2
RequiredBy 17 19 17 17 2
CanAlsoBe 34 34 34 34
PeerOf 142 154 142 142 12

Nodes Removed from Version 2.4

CWE-ID CWE Name
None.

Nodes Added to Version 2.5

CWE-ID CWE Name
919 Weaknesses in Mobile Applications
920 Improper Restriction of Power Consumption
921 Storage of Sensitive Data in a Mechanism without Access Control
922 Insecure Storage of Sensitive Information
923 Improper Authentication of Endpoint in a Communication Channel
924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel
925 Improper Verification of Intent by Broadcast Receiver
926 Improper Restriction of Content Provider Export to Other Applications
927 Use of Implicit Intent for Sensitive Communication
928 Weaknesses in OWASP Top Ten (2013)
929 OWASP Top Ten 2013 Category A1 - Injection
930 OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management
931 OWASP Top Ten 2013 Category A3 - Cross-Site Scripting (XSS)
932 OWASP Top Ten 2013 Category A4 - Insecure Direct Object References
933 OWASP Top Ten 2013 Category A5 - Security Misconfiguration
934 OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure
935 OWASP Top Ten 2013 Category A7 - Missing Function Level Access Control
936 OWASP Top Ten 2013 Category A8 - Cross-Site Request Forgery (CSRF)
937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
938 OWASP Top Ten 2013 Category A10 - Unvalidated Redirects and Forwards

Nodes Deprecated in Version 2.5

CWE-ID CWE Name
247 DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision
292 DEPRECATED (Duplicate): Trusting Self-reported DNS Name
Important Changes
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

R 2 Environment
R 16 Configuration
R 20 Improper Input Validation
R 22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
R 77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
R 79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
R 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
R 99 Improper Control of Resource Identifiers ('Resource Injection')
R 106 Struts: Plug-in Framework not in Use
R 109 Struts: Validator Turned Off
R 227 Improper Fulfillment of API Contract ('API Abuse')
D 229 Improper Handling of Values
D 231 Improper Handling of Extra Values
DN 233 Improper Handling of Parameters
D 235 Improper Handling of Extra Parameters
DNR 247 DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision
R 285 Improper Authorization
R 287 Improper Authentication
R 290 Authentication Bypass by Spoofing
DNR 291 Reliance on IP Address for Authentication
DNR 292 DEPRECATED (Duplicate): Trusting Self-reported DNS Name
R 296 Improper Following of a Certificate's Chain of Trust
R 297 Improper Validation of Certificate with Host Mismatch
R 298 Improper Validation of Certificate Expiration
R 299 Improper Check for Certificate Revocation
R 310 Cryptographic Issues
D R 312 Cleartext Storage of Sensitive Information
DN 313 Cleartext Storage in a File or on Disk
DN 314 Cleartext Storage in the Registry
DN 315 Cleartext Storage of Sensitive Information in a Cookie
DN 316 Cleartext Storage of Sensitive Information in Memory
DN 317 Cleartext Storage of Sensitive Information in GUI
DN 318 Cleartext Storage of Sensitive Information in Executable
R 319 Cleartext Transmission of Sensitive Information
R 322 Key Exchange without Entity Authentication
R 326 Inadequate Encryption Strength
R 345 Insufficient Verification of Data Authenticity
R 348 Use of Less Trusted Source
DNR 350 Reliance on Reverse DNS Resolution for a Security-Critical Action
R 352 Cross-Site Request Forgery (CSRF)
R 384 Session Fixation
R 400 Uncontrolled Resource Consumption ('Resource Exhaustion')
R 419 Unprotected Primary Channel
R 420 Unprotected Alternate Channel
R 471 Modification of Assumed-Immutable Data (MAID)
R 564 SQL Injection: Hibernate
R 567 Unsynchronized Access to Shared Data in a Multithreaded Context
R 601 URL Redirection to Untrusted Site ('Open Redirect')
R 639 Authorization Bypass Through User-Controlled Key
R 662 Improper Synchronization
R 664 Improper Control of a Resource Through its Lifetime
R 668 Exposure of Resource to Wrong Sphere
R 693 Protection Mechanism Failure
D R 694 Use of Multiple Resources with Duplicate Identifier
R 807 Reliance on Untrusted Inputs in a Security Decision
R 820 Missing Synchronization
R 898 SFP Cluster: Authentication
Detailed Difference Report
Detailed Difference Report
2 Environment
Major Relationships
Minor None
16 Configuration
Major Relationships
Minor None
20 Improper Input Validation
Major Relationships
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Related_Attack_Patterns, Relationships
Minor None
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major Relationships
Minor None
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Relationships
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Relationships
Minor None
99 Improper Control of Resource Identifiers ('Resource Injection')
Major Relationships
Minor None
106 Struts: Plug-in Framework not in Use
Major Relationships
Minor None
109 Struts: Validator Turned Off
Major Relationships
Minor None
123 Write-what-where Condition
Major None
Minor Demonstrative_Examples
130 Improper Handling of Length Parameter Inconsistency
Major Type
Minor None
131 Incorrect Calculation of Buffer Size
Major References
Minor None
190 Integer Overflow or Wraparound
Major References
Minor None
209 Information Exposure Through an Error Message
Major References
Minor None
227 Improper Fulfillment of API Contract ('API Abuse')
Major Relationships
Minor None
229 Improper Handling of Values
Major Description, Type
Minor None
230 Improper Handling of Missing Values
Major Type
Minor None
231 Improper Handling of Extra Values
Major Description, Type
Minor None
232 Improper Handling of Undefined Values
Major Type
Minor None
233 Improper Handling of Parameters
Major Description, Name, Type
Minor None
234 Failure to Handle Missing Parameter
Major Type
Minor None
235 Improper Handling of Extra Parameters
Major Description, Type
Minor None
236 Improper Handling of Undefined Parameters
Major Type
Minor None
237 Improper Handling of Structural Elements
Major Type
Minor None
238 Improper Handling of Incomplete Structural Elements
Major Type
Minor None
239 Failure to Handle Incomplete Element
Major Type
Minor None
240 Improper Handling of Inconsistent Structural Elements
Major Type
Minor None
247 DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Time_of_Introduction, Type
Minor None
250 Execution with Unnecessary Privileges
Major Applicable_Platforms
Minor None
285 Improper Authorization
Major Relationships
Minor None
287 Improper Authentication
Major Relationships
Minor Demonstrative_Examples
290 Authentication Bypass by Spoofing
Major Relationships
Minor None
291 Reliance on IP Address for Authentication
Major Applicable_Platforms, Description, Name, Relationships, Type
Minor None
292 DEPRECATED (Duplicate): Trusting Self-reported DNS Name
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor None
296 Improper Following of a Certificate's Chain of Trust
Major Relationships
Minor None
297 Improper Validation of Certificate with Host Mismatch
Major Relationships
Minor Description
298 Improper Validation of Certificate Expiration
Major Relationships
Minor None
299 Improper Check for Certificate Revocation
Major Relationships
Minor None
307 Improper Restriction of Excessive Authentication Attempts
Major None
Minor Demonstrative_Examples
310 Cryptographic Issues
Major Relationships
Minor None
311 Missing Encryption of Sensitive Data
Major Relationship_Notes
Minor None
312 Cleartext Storage of Sensitive Information
Major Description, Relationships, Terminology_Notes
Minor None
313 Cleartext Storage in a File or on Disk
Major Applicable_Platforms, Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, Terminology_Notes
Minor None
314 Cleartext Storage in the Registry
Major Applicable_Platforms, Description, Name, Observed_Examples, Potential_Mitigations, Terminology_Notes
Minor None
315 Cleartext Storage of Sensitive Information in a Cookie
Major Applicable_Platforms, Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, Terminology_Notes
Minor None
316 Cleartext Storage of Sensitive Information in Memory
Major Applicable_Platforms, Description, Name, Other_Notes, Potential_Mitigations, Terminology_Notes
Minor None
317 Cleartext Storage of Sensitive Information in GUI
Major Applicable_Platforms, Description, Name, Potential_Mitigations, Terminology_Notes
Minor None
318 Cleartext Storage of Sensitive Information in Executable
Major Applicable_Platforms, Description, Name, Potential_Mitigations, Terminology_Notes
Minor None
319 Cleartext Transmission of Sensitive Information
Major Relationships
Minor None
322 Key Exchange without Entity Authentication
Major Applicable_Platforms, Relationships
Minor None
326 Inadequate Encryption Strength
Major Relationships
Minor None
345 Insufficient Verification of Data Authenticity
Major Relationships
Minor None
348 Use of Less Trusted Source
Major Relationships
Minor None
350 Reliance on Reverse DNS Resolution for a Security-Critical Action
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Potential_Mitigations, References, Relationships, Taxonomy_Mappings, Type
Minor None
352 Cross-Site Request Forgery (CSRF)
Major References, Relationships
Minor None
384 Session Fixation
Major Relationships
Minor None
400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Major Relationships
Minor None
419 Unprotected Primary Channel
Major Applicable_Platforms, Relationships
Minor None
420 Unprotected Alternate Channel
Major Applicable_Platforms, Potential_Mitigations, Relationships
Minor None
471 Modification of Assumed-Immutable Data (MAID)
Major Relationships
Minor None
564 SQL Injection: Hibernate
Major Relationships
Minor None
567 Unsynchronized Access to Shared Data in a Multithreaded Context
Major Relationships
Minor None
601 URL Redirection to Untrusted Site ('Open Redirect')
Major References, Relationships
Minor None
639 Authorization Bypass Through User-Controlled Key
Major Relationships
Minor None
662 Improper Synchronization
Major Relationships
Minor None
664 Improper Control of a Resource Through its Lifetime
Major Relationships
Minor None
668 Exposure of Resource to Wrong Sphere
Major Relationships
Minor None
693 Protection Mechanism Failure
Major Relationships
Minor None
694 Use of Multiple Resources with Duplicate Identifier
Major Applicable_Platforms, Common_Consequences, Description, Observed_Examples, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships
Minor None
732 Incorrect Permission Assignment for Critical Resource
Major References
Minor None
807 Reliance on Untrusted Inputs in a Security Decision
Major Relationships
Minor None
809 Weaknesses in OWASP Top Ten (2010)
Major References
Minor None
820 Missing Synchronization
Major Relationships
Minor None
893 SFP Cluster: Path Resolution
Major Related_Attack_Patterns
Minor None
898 SFP Cluster: Authentication
Major Relationships
Minor Description
915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
Major References
Minor None

More information is available — Please select a different filter.
Page Last Updated: January 05, 2017